Bit9 Hack Part of Targeted Attack

Tuesday, February 12, 2013 @ 06:02 PM gHale

“We can only speculate, but we believe the attack on us was part of a larger campaign against a particular and narrow set of companies,” said Bit9 CTO Harry Sverdlove.

At the same time, security provider Bit9 promised to release limited details of a hack made possible by the company's failure to install, on part of its own network, the same security software it sells to Fortune 500 companies.

Waltham, MA-based Bit9 provides a platform that aims, among other functions, to block the installation of malicious applications. Although the product itself was not compromised, hackers found a weakness in the company servers that issue code-signing certificates.

Once those servers were compromised, the hackers issued certificates for their own malicious software, which then made it onto the networks of three Bit9 customers.

Bit9 doesn't list its customers by name on its website, but it said more than 1,000 companies use its software, including Fortune 500 companies in banking, energy, aerospace and defense, and U.S. federal government agencies.

With Bit9's certificate, the malicious software looked at first glance as if it were legitimate and came from the company. A valid certificate, however, isn't a free pass for malware: other kinds of security software may judge an application by its behavior rather than its signature, flag unusual actions and block it.

Bit9 Chief Executive Patrick Morley disclosed the hack on Friday on a company blog. He said “due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network.”

Bit9 will share limited information as the investigation continues, Sverdlove said. “For anyone who has ever been involved in an investigation of this type, you know that absolute or complete information is not always possible, so I can’t promise that every puzzle piece will be revealed.”

Bit9 has shared cryptographic hashes, a kind of digital fingerprint, of the files fraudulently signed with Bit9's certificate, Sverdlove said. The company plans to release more network information, tactics and files.